While none of those data became public — and it wasn’t a result of a cyber-attack but rather a common house burglary, it has become the most discussed cyber-security event, even more than four years later. And the event cost the agency $20 million in a settlement.
[Davis told] his staff on Tuesday to shift their focus from certifying that networks are compliant with a nearly decade-old law to monitoring systems for holes and real-time reporting of threats. The change is a watershed moment for federal information technology managers, who since 2002 have been required to follow a law that critics say forces IT staffs to spend days filling out reports that confirm technology managers have followed certain security procedures. The law did not require specific actions to secure systems, said opponents of the Federal Information Security Management Act. Jerry Davis, NASA’s deputy chief information officer for IT security, issued a memo to information system managers informing them they no longer need to certify every three years that their networks are compliant with FISMA, as called for by the law. Instead, they should rely on automated continuous monitoring to find holes that hackers could exploit. The process will remain in effect as long as agencies are required to submit annual status reports for networks and vulnerabilities detected during the monitoring don’t pose unacceptable risk.
Here is Davis’s most recent bio:
Jerry L. Davis is the Deputy Chief Information Officer (DCIO), IT Security for the National Aeronautics and Space Administration (NASA). Jerry’s role is to provide thought leadership and oversee all aspects of Information Security and privacy for the Agency to include the development and implementation of enterprise-wide IT security engineering and architecture, IT security governance and IT security operations capabilities. Jerry’s division also generates IT and data security solutions and services to the Agency’s Space Operations, Science, Exploration Systems and Aeronautics Research Mission Directorates programs and projects, while defending $1.8 billion in annual IT investments.
Previously, Jerry served as the DCIO for the Department of Education overseeing the day-to-day operations of the Department’s enterprise-wide IT infrastructure. During his tenure at the Department, Jerry also served as the Department’s first Chief Information Security Officer (CISO) and Director, Information Assurance (IA). In this role, Jerry’s teams proactively defended over $500 million dollars in annual IT investments, which supported the $400 billion dollar grants and loans portfolio.
Jerry was one of the principal thought leaders in the design, implementation and management of the District of Columbia’s first city-wide IT Security program and served as the Manager of Wide Area Network (WAN) Security Architecture. Jerry also held positions as a senior security consultant with several Fortune 500 consulting firms, serving clients in the Intelligence Community (IC), Department of Defense (DoD) and federal civilian agencies. Jerry held a staff position with the Central Intelligence Agency’s (CIA) Directorate of Operations (DO) for several years. Jerry is a combat veteran of the United States Marine Corps and trained as a Counterintelligence Specialist with focus on Human Intelligence (HUMINT) operations. He holds a masters degree in network security from a National Security Agency (NSA) Center of Excellence in Information Assurance and a bachelors of science in business with a concentration in IT security. Jerry has done doctoral work in the field of information systems and holds the Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP) certifications. Mr Davis won the People’s Choice Award at the 2009 Mid-Atlantic Region Information Security Executive of the Year and was selected as one of the 50 Most Important African Americans in Technology in 2009.